Why to whitelist cloudflare ip ranges?

Is it good practice to drop/block every other HTTP(S) request to the origin server except the ones coming from Cloudflare’s IP ranges? I think the article below doesn’t really tell why whitelisting is recommended even though it says that in the beginning.


If you don’t use a whitelist, anyone on the internet can send requests directly to your server, thereby bypassing Cloudflare. This probably isn’t ideal, especially if you’re using any of Cloudflare’s security features. For example, Cloudflare provides DDoS protection, but it only works when connections go through Cloudflare; if an attacker can make requests directly to your server, it’s not going to do you much good.

Okay, sounds like a good enhancement for security.
Shouldn’t everybody be using the whitelist then who is able?

If you plan to use Cloudflare exclusively, yes.

As Zenexer points out above, the reason for whitelisting Cloudflare IPs on your origin and denying all others is so that your origin can only be accessed via Cloudflare and therefore through their firewalls etc.

You ask why everyone isn’t doing this to increase security. There are a number of reasons why someone may not be able to implement the whitelist; however, there is another alternative that Cloudflare supports: Authenticated Origin Pulls.

The long and short of it is, instead of telling your server “Only respond to these IPs”, you tell your server “Only respond if the client presents this certificate”. This has a number of advantages:

  1. You don’t have a massive list of IPs to deal with
  2. As long as Cloudflare keeps their private key safe, you won’t have to update it
  3. It’s easier to implement (just a couple of lines) if you have the right access to the server and configuration files

The disadvantages are:

  1. If you don’t have access to the configuration files, you simply can’t implement this (on shared hosting for example)
  2. If you’re using IIS (like I am for some sites) good luck trying to implement it as the documentation is terrible

I wouldn’t like to say if one is better than the other; they both have advantages and disadvantages. I would say it’s unnecessary to implement both, as they both effectively do the same thing. Just pick the one that works better for you.
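As an added illustration of the two points made above (a request that does not come through Cloudflare bypasses its protection, and an IP allowlist on the origin is what enforces that), here is a Python example that is not from this thread, from Cloudflare, or from any of the posters. It uses constructed documentation prefixes in place of Cloudflare’s real published ranges and assumes the visitor’s address is carried in the CF-Connecting-IP header, which should only be trusted when the peer really is a Cloudflare edge.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder ranges for this example only. In production, load the
# published lists from https://www.cloudflare.com/ips-v4 and /ips-v6 and
# refresh them on a schedule, because the real list changes over time.
CLOUDFLARE_RANGES = [
    "192.0.2.0/24",       # TEST-NET-1, stands in for a Cloudflare IPv4 block
    "2001:db8:cf::/48",   # documentation prefix, stands in for an IPv6 block
]

def parse_ranges(cidrs: Iterable[str]):
    """Parse CIDR strings once; strict=False tolerates host bits set in the input."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def from_cloudflare(peer_ip: str, networks) -> bool:
    """True if the TCP peer address lies inside one of the allowed ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)

def visitor_ip(peer_ip: str, headers: dict, networks) -> Optional[str]:
    """Decide how the origin should treat a request.

    Returns None when the request must be rejected: it did not arrive via
    Cloudflare, so it bypassed the WAF and DDoS protection. Otherwise returns
    the visitor address from CF-Connecting-IP. That header is only meaningful
    when the peer is a Cloudflare edge; a client that reaches the origin
    directly can put any value it likes in it.
    """
    if not from_cloudflare(peer_ip, networks):
        return None
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip is None:
        return None
    try:
        return str(ipaddress.ip_address(cf_ip))
    except ValueError:
        return None  # malformed header value: treat as invalid

def nginx_allowlist(cidrs: Iterable[str]) -> str:
    """Render the equivalent nginx directives: allow each range, then deny all."""
    lines = [f"allow {net};" for net in parse_ranges(cidrs)]
    lines.append("deny all;")
    return "\n".join(lines)
```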